A Struct is an object which represents a C struct.
Structs have members at various fixed relative offsets from our own base offset.
Nested Classes
__metaclass__: Give each object a unique ID. (Inherited from rekall.obj.BaseObject)
Class Variables
obj_name = <No name> (Inherited from rekall.obj.BaseObject)
obj_parent = <No parent> (Inherited from rekall.obj.BaseObject)
obj_producers = None hash(x) (Inherited from rekall.obj.BaseObject)
Properties
indices: Returns (usually 1) representation(s) of self usable as dict keys.
obj_size
obj_end (Inherited from rekall.obj.BaseObject)
parents: Returns all the parents of this object. (Inherited from rekall.obj.BaseObject)
Method Details

This must be instantiated with a dict of members. The keys are the offsets, the values are Curried Object classes that will be instantiated when accessed.

Args:
  members: A dict of callables to use for retrieving each member. (Key is member name, value is a callable). Normally these are populated by the profile system.
  struct_size: The size of this struct if known (can be None).

hash(x)

Return our offset as an integer. This allows us to interchange Struct and offsets.

The number of bytes before the object which are part of the object. Some objects are preceded with data before obj_offset which is still considered part of the object. Note that in that case the size of the object includes the preamble_size, hence:

  object_end = obj_offset + obj_size - obj.preamble_size()

repr(x)

When a struct is evaluated we just return our offset.

Fetch the member named by attr.

NOTE: When the member does not exist in this struct, we return a NoneObject instance. This allows one to write code such as:

  struct.m("Field1") or struct.m("Field2")

to access a field which has been renamed in different OS versions.

By default this method does not allow callable methods specified in overlays. This is to enable overriding of normal struct members by callable properties (otherwise infinite recursion might occur). If you really want to call overlays, specify allow_callable_attributes as True.

Retrieve a set of fields in order. If a field is not found, then try the next field in the list until one field works. This approach allows us to propose a set of possible fields for an attribute to support renaming of struct fields in different versions.

Walk a single linked list in this struct. The current object can be optionally yielded as the first element.

Args:
  list_member: The member name which points to the next item in the list.
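The missing-member fallback, the ordered field lookup and the list walk described above, as an added toy model in Python. It is not Rekall's code: `ToyNone`, `ToyStruct`, `first_member`, the member names and the 64-byte image are constructed for illustration, and the bounds and cycle checks are this example's own assumptions about walking a list in an untrusted image. In this model members are plain integers, so a zero value is also falsy and an `or` chain would skip it; `first_member` skips only missing members.

```python
import struct
class ToyNone(object):
    """Falsy placeholder returned instead of raising (models a NoneObject)."""
    def __init__(self, reason):
        self.reason = reason
    def __bool__(self):
        return False

class ToyStruct(object):
    """View over `data` at `offset`; `members` maps name -> (rel_offset, fmt)."""
    def __init__(self, data, offset, members):
        self.data, self.obj_offset, self.members = data, offset, members
    def __int__(self):
        return self.obj_offset  # a struct evaluates to its own offset
    def m(self, attr):
        if attr not in self.members:
            return ToyNone("no member %r" % attr)
        rel, fmt = self.members[attr]
        start = self.obj_offset + rel
        if start + struct.calcsize(fmt) > len(self.data):
            return ToyNone("read past end of image at %#x" % start)
        return struct.unpack_from(fmt, self.data, start)[0]

    def first_member(self, *names):
        """Try names in order; only a ToyNone (not a zero value) is skipped."""
        result = ToyNone("no names given")
        for name in names:
            result = self.m(name)
            if not isinstance(result, ToyNone):
                break
        return result

    def walk_list(self, list_member, include_current=True):
        """Follow `list_member` pointers; stop on null, bad pointer or a loop."""
        seen, item = {self.obj_offset}, self
        if include_current:
            yield item
        while True:
            nxt = item.m(list_member)
            if not nxt or nxt in seen or nxt >= len(self.data):
                return
            seen.add(nxt)
            item = ToyStruct(self.data, nxt, self.members)
            yield item

# Constructed image: nodes at 16, 32 and 48; the last one points back to 16.
IMAGE = bytearray(64)
for off, nxt, pid in [(16, 32, 0), (32, 48, 7), (48, 16, 9)]:
    struct.pack_into("<II", IMAGE, off, nxt, pid)
PROFILE = {"next": (0, "<I"), "ProcessId": (4, "<I")}  # hypothetical names
```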
Property Details

indices

Returns (usually 1) representation(s) of self usable as dict keys. Using full base objects for indexing can be slow, especially with Structs. This method returns a representation of the object that is a suitable key - either the value of a primitive type, or the memory address of the more complex ones.

obj_size
Generated by Epydoc 3.0.1 on Mon Oct 9 03:27:54 2017 | http://epydoc.sourceforge.net |